
Integrated Security Question

Integrated Security Question - 30.Aug.2002 2:28:00 PM   
ProtoCallMike

 

Posts: 28
Joined: 20.Mar.2001
From: Hamilton, OH 45015
Status: offline
Does integrated security work with the firewall client, or does it just utilize the web proxy service? I have a test ISA server set up with outgoing web requests being processed just using integrated security. Without using the proxy settings in IE and just using the firewall client, my requests get denied. But when I enter the proxy info into IE, it works like a champ.
Post #: 1
RE: Integrated Security Question - 30.Aug.2002 6:23:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mike,

Firewall clients send credentials in the background using NTLM or Kerberos, depending on what OSs and setup you have.

HTH,
Tom

(in reply to ProtoCallMike)
Post #: 2
RE: Integrated Security Question - 30.Aug.2002 6:28:00 PM   
ProtoCallMike

 

Posts: 28
Joined: 20.Mar.2001
From: Hamilton, OH 45015
Status: offline
The setup I am using is ISA installed on a Win2k SP2 server. I am trying to get out to the web using a machine running Win2k SP3 and IE6. With Integrated security for outgoing requests turned on, it will not let me out to the web and gives me this message:

403 Forbidden - The ISA Server denies the specified Uniform Resource Locator (URL). (12202)
Internet Security and Acceleration Server

Is there something other than specifying in the Access policy who has access to the web that I need to do with this security turned on?

(in reply to ProtoCallMike)
Post #: 3
RE: Integrated Security Question - 2.Sep.2002 1:34:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mike,

The firewall service doesn't forward requests to the Web Proxy service. If you have authentication required to access the Web Proxy service, then you'll need to configure the Web Proxy client.

HTH,
Tom

(in reply to ProtoCallMike)
Post #: 4
RE: Integrated Security Question - 3.Sep.2002 2:23:00 PM   
ProtoCallMike

 

Posts: 28
Joined: 20.Mar.2001
From: Hamilton, OH 45015
Status: offline
But can I use just the firewall client to authenticate users' requests for web access? If so, what am I missing?

(in reply to ProtoCallMike)
Post #: 5
RE: Integrated Security Question - 3.Sep.2002 4:16:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mike,

If that's all you want, you can configure the HTTP Redirector to forward requests directly to the Web server.

HTH,
Tom

(in reply to ProtoCallMike)
Post #: 6
RE: Integrated Security Question - 3.Sep.2002 5:10:00 PM   
ProtoCallMike

 

Posts: 28
Joined: 20.Mar.2001
From: Hamilton, OH 45015
Status: offline
I'm sorry, I think we are getting mixed up here. We don't have a web server. I want to use Integrated Authentication and the firewall client to allow my internal users out to the internet. I currently just have Integrated Authentication turned on as the only authentication mechanism for outgoing requests. And in the Site and Content Rules as well as the Protocol Rules I have a rule set up to allow just me and one other user out to the internet for testing. I don't want to specify the proxy settings for the web browser, but that is the only way I can get out to the internet. Thanks for your replies and hopefully I am just missing something here. [Smile]

(in reply to ProtoCallMike)
Post #: 7
RE: Integrated Security Question - 4.Sep.2002 6:14:00 PM   
skipster

 

Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline
You will find that if you are creating rules that only give access to certain users/groups, based on your site and content rules and your protocol rules, and you have the HTTP redirector set to send all requests to the Web Proxy service, then only those users/groups that you gave access to will be able to get out through ISA, and the users/groups will need to have the proxy setting defined in their IE. This is because SNAT clients and firewall clients cannot authenticate to the Web Proxy service. To get around this you will need to create a separate S&C rule and protocol rule for each client that doesn't have the proxy defined in their IE. This will allow these clients to bypass the Web Proxy service.

(in reply to ProtoCallMike)
Post #: 8
